The overwhelming desire of most organisations to customise the 'cookie cutter' style services they consume can lead to their degradation. Could the employment of the “cloud” be the catalyst that leads to greater losses by adding another story to the house of cards? It is commonplace for organisations to meet the technology needs by outsourcing IT to a specialist company.
Technology is complicated and not considered to be a core business for many, so an outsourcer is located and trusted to provided what are often become critical functions. Outsourcing may include the network, telephony, server platforms and application support to name a few areas. As part of this outsourcing information assets of an organisation are entrusted to a service provider. Staff and financial information may be stored on systems managed by a service provider and that provider may have access to other organisations’ information assets.
While increased productivity and a better focus are often touted as reasons for outsourcing IT, the reality is a lower cost point is normally the primary driver. It is forever a challenge for the service provider to deliver the same IT function to a consumer at a lower price. A consumer will want all the features they had when they did it themselves plus any offered in the provider’s service offering. Achieving this typically occurs in one of two ways:
1. The IT function being delivered is in fact not the same. It is degraded in some way - be it slower, less featured, less reliable or less available. In short providers are sometimes cheaper simply because they don't do it as well as you would do it yourself.
2. There is an economy of scale being realised by a provider by consolidating many organisations’ IT functions. This couldn't be realised by the organisations individually. This is commonplace and it is normally highlighted as the chief reason why an organisation should outsource IT.
IT is becoming a critical function to most organisations. A dairy farmer may appear isolated from technology but his tractor was designed by computers, his milk is tracked by computers, milk collection is co-ordinated by computers and he is paid by computers.
The good news is that technology is inherently quite reliable. Outages if they occur tend to be due to poor maintenance or operation. Email servers for example process email 24x7 but if the hardware is neglected for more than three years or if patches aren't applied they will fail.
Technology is often reliable because it is doing something relatively simple and has excessive capacity. Not surprisingly if you get a very capable piece of technology to do something small and simple, it will do it well for a long time.
Outsourcers can therefore take a piece of technology and share its capacity across multiple customers. Rather than having an email server processing email for one organisation, why not do it for two or more. They only need to guard against the same viral threat once and so their return on investment is much higher.
The challenge is that one customer may adversely impact another and should the system be exploited the impact is far greater as it impacts many organisations. This can be effectively addressed by using the scale to justify more comprehensive controls; implemented in a more co-ordinated fashion. In short a well formed security architecture ensures a provider can provide each customer with an effective and highly available slice of a service.
As we move from a single dedicated and tangible implementation of technology such as an email server to a more abstract black box service such as “email processing” the organisation on which this service relies loses visibility of the controls that protect it and rely more on the provider with which they have established a trust relationship.
The provider should have a well architected service that through design and implementation constraints is well protected. But how does the consumer know this is the case? Rarely do organisations audit their providers, instead perhaps trusting reference sites selected by the provider itself. Often organisations also require a level of customisation beyond what a service is intended to provide – if it was part of the service it wouldn't be a customisation. So if we have a service provider who does not allow their services to be audited but does allow extensive customisation; the provider is more likely to have inconsistencies in their service offering that result in weaknesses. As the provider becomes more popular and so has more customers it becomes more likely that one of their customers or their customers implementations will lead directly to another customer suffering a loss of service and/or information assets.
Enter cloud computing. Cloud computing provides the flexibility so that anyone can run anything on anything. The consumer will purchase a service from a provider and the provider will in turn run that service on their “cloud” of resource.
That cloud could in fact run on another cloud and so on until finally a provider in the chain runs their cloud on a collection of hardware and software that best suits their capability. This increases the possibility of a weakness occurring exponentially while greatly reducing the ability to audit. The cost of auditing four layers of nested clouds and the software and (ultimately) hardware that underpins them is likely to be cost prohibitive, not to mention a logistical nightmare.
Customisation of a cloud makes the problem greater. Each customisation risks undermining the security architecture of that layer and all layers that sit atop it.
While some may rigorously police the limitations of their service, the reality is most will bow to commercial pressures and deliver each customer the customisations they want. While controls such as encryption may go some way to protecting an end customer, these controls have been effectively bypassed on physical resources such as laptops and the underlying principles for these compromises will likely still bear fruit for the motivated attacker.
It isn't all bad news. There are very good service providers who are providing well secured virtual services to their customers. There are security professionals who can assist on the selection of these providers and assist in determining what services are and are not appropriate for cloud computing. For those organisations that ask the right questions there will be a reduced cost of ownership with potentially an increase in their security. Still the question needs to be asked of someone other than the provider themselves. Beware those that allow you to do whatever you want however you want as they are likely giving less scrupulous parties the same luxury. Certainly, low value services may be a contender for cloud computing but it would be wise to take extra care when placing your financial systems or critical information in the care of a cloud that by its very design has a varied and potential undefined set of controls protecting it.
Simon Burson is an information security consultant who has delivered operating models and governance frameworks to a range of New Zealand businesses from the finance sector to the utilities sector. He co-manages the Auckland chapter of the Information Security Interest Group and has presented at Brightstar conferences and the New Zealand Information Security Forum.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.